NSA’s broken Dual_EC random number generator has a “fatal bug” in OpenSSL

No plans to fix a bug in "toxic" algorithm that no one seems to use.

If a fatal flaw afflicts a critical cryptographic function used by no one, what are open-source developers to do? Until recently, such a predicament might have been regarded as a mere philosophical thought experiment, but no more.

An advisory published Thursday warns that a "FIPS module" of the widely used OpenSSL library contained a "fatal bug" in its implementation of Dual_EC_DRBG. Credible doubts about the trustworthiness of the deterministic random bit generator surfaced almost immediately after National Security Agency officials shepherded it through an international standards body in 2006. In September, those fears were rekindled when The New York Times reported the algorithm may contain an NSA-engineered backdoor that makes it easier for government spies to decode encrypted communications.
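
To make concrete why a generator whose two public constants P and Q stand in an unexplained relationship is distrusted (the backdoor concern the Times report describes), here is an added toy implementation of the Dual_EC_DRBG structure over a small constructed curve. It is not OpenSSL's or NIST's code and is not part of the original article; the curve, base point, seed and the planted trapdoor scalar `d` (chosen so that `d*Q = P`) are all constructed for this example. It shows the observation Shumow and Ferguson made about the real generator: whoever knows `d` can recover the internal state from a single truncated output block and then reproduce every later block, while the same outputs reveal nothing to anyone without `d`.

```python
"""
Toy Dual_EC_DRBG with a deliberately planted trapdoor between its two constants.
Constructed teaching example; nothing here is OpenSSL or NIST code.
"""
from math import gcd

# Toy curve y^2 = x^3 + A*x + B over F_P_MOD (constructed, not a NIST curve).
P_MOD = 10007            # prime; P_MOD % 4 == 3 makes square roots a single pow()
A, B = 1, P_MOD - 1      # B == -1 is a non-residue mod 10007, so no point has x == 0
BASE = (1, 1)            # 1^3 + 1 - 1 == 1^2, so (1, 1) lies on the curve (our "P")
DROP_BITS = 4            # the real generator discards 16 of 256 bits; we discard 4 of 14
KEEP_BITS = P_MOD.bit_length() - DROP_BITS
INF = None               # point at infinity


def ec_add(p1, p2):
    """Affine point addition with the doubling and inverse special cases."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def x_of(pt):
    """x-coordinate of a finite point (the spec never handles the infinity case)."""
    if pt is INF:
        raise ValueError("degenerate DRBG state")
    return pt[0]


def point_order(pt):
    n, cur = 1, pt
    while cur is not INF:
        cur = ec_add(cur, pt)
        n += 1
    return n


ORDER = point_order(BASE)
# The "designer" keeps d secret and publishes Q = d^-1 * P, so that d*Q == P.
SECRET_D = next(k for k in (3, 5, 7, 11, 13) if gcd(k, ORDER) == 1)
Q = ec_mul(pow(SECRET_D, -1, ORDER), BASE)


def dual_ec_step(state):
    """One simplified block: r = x(sP), s' = x(rP), output = x(rQ) with top bits dropped."""
    r = x_of(ec_mul(state, BASE))
    new_state = x_of(ec_mul(r, BASE))
    output = x_of(ec_mul(r, Q)) & ((1 << KEEP_BITS) - 1)
    return new_state, output


def generate(seed, blocks):
    """Run the generator; returns (final state, list of truncated outputs)."""
    state, outs = seed, []
    for _ in range(blocks):
        state, out = dual_ec_step(state)
        outs.append(out)
    return state, outs


def recover_state(outputs, d):
    """With the trapdoor d, recover the state that followed outputs[0].

    Each guess for the dropped high bits gives an x; if (x, y) is on the curve it
    is +-rQ, and d*(rQ) = r*(dQ) = rP, whose x is exactly the next state.  The
    later outputs are replayed to discard wrong guesses.
    """
    first, rest = outputs[0], outputs[1:]
    found = []
    for hi in range(1 << DROP_BITS):
        x = first | (hi << KEEP_BITS)
        if x >= P_MOD:
            break
        rhs = (x * x * x + A * x + B) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
        if (y * y) % P_MOD != rhs:
            continue                      # no curve point has this x-coordinate
        try:
            state = x_of(ec_mul(d, (x, y)))
            if generate(state, len(rest))[1] == rest:
                found.append(state)
        except ValueError:
            continue
    return found


if __name__ == "__main__":
    seed = 4242                           # constructed seed
    _, outs = generate(seed, 4)
    print("outputs:", outs)
    print("state after block 1:", generate(seed, 1)[0],
          "recovered with d:", recover_state(outs, SECRET_D))
```

Requires Python 3.8 or later for `pow(x, -1, m)`. The structure mirrors the standard (state update through P, output through Q, a few high bits discarded), so the defender's conclusion carries over: the truncation only forces a small brute-force over the dropped bits, and everything else hinges on whether anyone holds `d` for the published constants, which is exactly the question the article says the standard never answered.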

The fatal Dual_EC_DRBG bug resides in the FIPS Object Module v2.0, an optional OpenSSL library used to build crypto apps that are certified by the US government's Federal Information Processing Standards. When using the module's implementation of Dual_EC_DRBG, the application crashes and can't be recovered. That's an amazing discovery for an application that had to undergo countless hours of testing to be certified by the government of the world's most powerful country. The silver lining seems to be that there's evidence no one has ever actually used Dual_EC_DRBG in release versions of the OpenSSL module (though that in turn raises the question of why RSA's BSAFE crypto tool used the RNG by default).

"Note the bug is present in the Dual_EC_DRBG only," OpenSSL Software Foundation co-founder Steve Marquess wrote in Thursday's advisory. "No other DRBG types are affected. The nature of the bug shows that no one has been using the OpenSSL Dual_EC_DRBG."

Marquess went on to say there are no plans to fix the bug. Instead, the Dual_EC_DRBG code will be ripped out of the module and the module will be recertified.

"Given the current status of Dual_EC_DRBG (now disowned by the NIST CMVP and pretty much toxic for any purpose) we do not plan to correct the bug," he wrote. "A FIPS 140-2 validated module cannot be changed without considerable expense and effort, and we have recently commenced that process of entirely removing the Dual_EC_DRBG code from the formally validated module."

The takeaway from Thursday's advisory is that Dual_EC_DRBG has been formally banished from yet another widely used crypto platform (with RSA's BSAFE being the other one). Before bidding a formal farewell to the algorithm, it's worth mentioning that Dual_EC_DRBG was suspiciously absent from Wednesday's report issued by President Obama's advisory panel on NSA surveillance. We would have expected to see at least passing mention of it in Appendix E of the full report, the section that disclosed the US government's role in forging encryption standards. Alas, there's none.

Wow, I guess this news is important enough to make the front page, for an algorithm that nobody uses, that has been known to be broken since 2006, and that no developer is willing to fix because of its unimportance.

...the application crashes and can't be recovered. That's an amazing discovery for an application that had to undergo countless hours of testing to be certified by the government of the world's most powerful country.

Not really. Anybody who's familiar with these certifications knows they are kind of a joke from a computer science perspective. Validation is not verification.

Wow, I guess this news is important enough to make the front page, for an algorithm that nobody uses, that has been known to be broken since 2006, and that no developer is willing to fix because of its unimportance.

FIPS 140-2 *is* important and that is what makes this newsworthy.

While Jousle is trolling, I do want to say that FIPS 140-2 is a huge obstacle to swift and secure development. The timeline (6-12 months), the cost (80-100K USD) and inflexibility means that bugs stick around because no one wants to recertify. Imagine you had to pay $1 for every Linux/Windows patch; how many would you personally patch? Now imagine a $100K bugfix ...